Posted
by
samzenpus on Monday July 08, 2013 @12:15PM
from the protect-ya-neck dept.

hypnosec writes "Nintendo has revealed that it has detected illicit logins in nearly 24,000 accounts on one of the main fan sites in Japan 'Club Nintendo' and account details such as real names, addresses, emails and phone numbers may have been accessed. According to Nintendo the mass login attempts have been made using a list of login credentials containing usernames and passwords obtained from some service other than Nintendo. The company revealed that it detected over 15 million login attempts out of which 23,926 were successful."

How much brute force traffic do you expect before you do something? Especially after Sony got a kick in the nuts with this.
Also, I'd expect children to have awful dictionary passwords with only the cleverer dyslexic kids being safe. Their own name and some numbers being the limit. Shame, they could have set some pictures and set up a really good Nintendo'ish password system. More secure than adult stuff now I come to think how it would work.

I have accounts where the password is something useless like that. Those are on sites where the host forced me to create an account to get a coupon or something similarly idiotic to drive up their subscription rates. I suspect these hackers have a nice long list of accounts for the surname "yourself"

I have accounts where the password is something useless like that. Those are on sites where the host forced me to create an account to get a coupon or something similarly idiotic to drive up their subscription rates

When you come across these sites you should post your log-in info to http://www.bugmenot.com/ [bugmenot.com] It's helped me get into sites that I didn't wish to log into and I pay back by posting log-ins myself. It's become well known and many sites have requested theirs not be listed; but in the long run it works very well.

Well at least in my neck of the woods the most popular number combo is folks' SSN, scarily enough. I don't know how many times I have had a customer write down their username and password so I can get in and do the work only to find it's their SSN.

This is why I have been saying for years we really need smart cards or biometrics or something, as the amount of people out there using crazy simple passwords is just nuts. Their SSN, their BDay, the name of their kid or pet, people honestly don't think when it com

I have lots of easy to guess passwords if they allow 15 million attempts on an account.

More like they tried 15M attempts at logging in with various username-password combinations, of which 24,000 of them were successful.

Though, given how little information Nintendo asks, one wonders what the whole point is - I don't think Nintendo even asks for an address until they absolutely need it, so if it was an account created but not really used, there's no information at all. Maybe a few coins, but you can't take t

Does Club Nintendo use unique usernames, or email addresses for login? Someone probably just got a hold of one of those old Facebook or Twitter lists and decided to try those creds here. Most people use the same password for everything. I'm always reminded of this when setting up an account on random gaming forums. Who's to say they aren't just collecting creds and then later trying them on Facebook, Twitter, etc or getting into my game account and sharding my purples.

It should be very obvious how to guess the difference between a human logging in and a bot.

If a user is generating 100k failed password attempts a minute, day, week, month, or even a year, chances are they are a bot.

Also if someone is logging in from various places around the world, chances are it's a bot. If the user sets up an account from the US or Canada, but is logging in from China one minute then Russia another, it's probably a bot.


Also even if the bot has 1 failed attempt a day using some discretionary attack, at some point a server should realize that there is no human stupid enough to fail to enter a password properly on a regular basis. I mean once you enter your password in most browsers or on the Wii console, you don't even have to type it in again, so 3 failed attempts in any given period of time should lock you out of your account, period.
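The three heuristics in this comment (one source cycling through many usernames, logins hopping between countries, and a three-strikes lockout) as an added Python example that is not part of the thread; the log lines, field layout and thresholds are constructed for illustration, not Club Nintendo's real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not real Club Nintendo data): time user source_ip country result
LOG = """\
2013-07-05T10:00:00 u10000001 203.0.113.7 CN fail
2013-07-05T10:00:01 u10000002 203.0.113.7 CN fail
2013-07-05T10:00:02 u10000003 203.0.113.7 CN ok
2013-07-05T10:00:03 u10000004 203.0.113.7 CN fail
2013-07-05T10:00:04 u10000005 203.0.113.7 CN fail
2013-07-05T10:05:00 u20000001 198.51.100.9 US ok
2013-07-05T10:07:00 u20000001 192.0.2.44 RU ok
2013-07-05T11:00:00 u40000001 198.51.100.10 CA fail
2013-07-05T11:00:30 u40000001 198.51.100.10 CA fail
2013-07-05T11:01:00 u40000001 198.51.100.10 CA fail
"""
def parse(log):
    """Split the constructed log into (datetime, user, ip, country, result) tuples."""
    return [(datetime.fromisoformat(t), u, ip, cc, r)
            for t, u, ip, cc, r in (ln.split() for ln in log.splitlines())]
def stuffing_sources(rows, window=timedelta(minutes=1), min_users=5):
    """IPs that cycle through many distinct usernames within one window: the stuffing signature."""
    by_ip, flagged = defaultdict(list), set()
    for ts, user, ip, _, _ in rows:
        by_ip[ip].append((ts, user))
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            if len({u for t, u in events[i:] if t - t0 <= window}) >= min_users:
                flagged.add(ip); break
    return flagged
def impossible_travel(rows, max_gap=timedelta(hours=1)):
    """Accounts with successful logins from two countries closer together than max_gap."""
    last, flagged = {}, set()
    for ts, user, _, cc, res in sorted(rows):
        if res != "ok": continue
        if user in last and last[user][1] != cc and ts - last[user][0] <= max_gap:
            flagged.add(user)
        last[user] = (ts, cc)
    return flagged
def lockouts(rows, max_fail=3, window=timedelta(hours=1)):
    """Accounts reaching max_fail failures inside window (the 'three strikes' rule)."""
    fails, flagged = defaultdict(list), set()
    for ts, user, _, _, res in sorted(rows):
        if res != "fail": continue
        fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
        if len(fails[user]) >= max_fail: flagged.add(user)
    return flagged
```

Each function returns the set of sources or accounts it would flag; on the sample log the stuffing check fires on the one IP trying five usernames in four seconds, the travel check on the US-then-Russia account, and the lockout on the account with three failures.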

Except Club Nintendo is NOT tied to anything you already have. It's a separate account and

Guildwars - I've screwed up and typo'd the damn pw (n)x times in a row w/o hitting their limit. Of course, it's also a registered IP with them so maybe the system would lock things if too many failures from various unrecognized locations.

A bunch of Pokémon fansites were hacked recently (here's one reasonably detailed report from one of the sites). Although as far as I know no plaintext passwords were stored on any of the servers, there were a bunch of password hash databases taken; and because Pokémon is a Nintendo property, Nintendo's website would be an obvious place to try any username/password pairs that were weak enough to be reversed from the databases (and some plaintext passwords would be available as a result of compromis

I have a club nintendo jp account (no notice of hacking yet, though I did receive notice from Yahoo above). From memory the user ID for the club nintendo service needed to be an eight digit number rather than a more usual word based UID. That could easily explain the perceived low success rate of